SSL / TLS in Database Connection Strings

Add SSL/TLS encryption to your database connection strings. Covers sslmode for PostgreSQL, tls for MongoDB, rediss:// for Redis, and encrypt for MSSQL.

Best Practices

Detailed Explanation

Why SSL/TLS Matters

Encrypting your database connection prevents eavesdropping on credentials and query data as they travel over the network. This is critical for cloud-hosted databases where traffic crosses the public internet, and a best practice even within private networks.

SSL by Database

PostgreSQL

PostgreSQL uses the sslmode parameter:

postgresql://user:pass@host:5432/db?sslmode=require

Available modes (from least to most secure):

Mode          Encryption   Certificate Check
disable       No           No
allow         Optional     No
prefer        Preferred    No
require       Yes          No
verify-ca     Yes          CA only
verify-full   Yes          CA + hostname

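For production, use verify-full when possible: require encrypts the connection but does not check the server certificate, so the client cannot confirm it is talking to the intended server. Cloud providers like AWS RDS and Supabase provide downloadable CA certificates.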

MySQL

MySQL uses the ssl or sslmode parameter:

mysql://user:pass@host:3306/db?ssl=true

Or with certificate paths in key-value format:

SslMode=Required
SslCa=/path/to/ca.pem
SslCert=/path/to/client-cert.pem
SslKey=/path/to/client-key.pem

MongoDB

MongoDB uses the tls parameter (replacing the deprecated ssl parameter):

mongodb://user:pass@host:27017/db?tls=true&tlsCAFile=/path/to/ca.pem

MongoDB Atlas connections (mongodb+srv://) enable TLS by default.

Redis

Redis uses the rediss:// URI scheme (double 's') for TLS:

rediss://user:pass@host:6380/0

MSSQL

SQL Server uses the encrypt parameter:

sqlserver://user:pass@host:1433;database=db;encrypt=true;trustServerCertificate=false
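
The per-database settings above can be checked mechanically before a connection string reaches production. This is an added example, not code from the original page or from any database driver: the function name audit and the sample strings are constructed for illustration. MySQL is left out because the page shows two different parameter spellings for it.

```python
from urllib.parse import urlsplit, parse_qs

# One finding per PostgreSQL sslmode, mirroring the mode table; None means acceptable.
PG_MODES = {
    "disable": "no encryption",
    "allow": "encryption is optional and the certificate is not checked",
    "prefer": "encryption is not enforced and the certificate is not checked",
    "require": "encrypted, but the server certificate is not checked",
    "verify-ca": "CA is checked, but the hostname is not",
    "verify-full": None,
}

def audit(conn):
    """Return a list of TLS findings for one connection string (empty = none)."""
    scheme = conn.split("://", 1)[0].lower()
    if scheme == "sqlserver":
        # This URL form carries ;key=value properties instead of a ?query string.
        props = {k.strip().lower(): v.strip().lower()
                 for k, _, v in (p.partition("=") for p in conn.split(";")[1:])}
        found = [] if props.get("encrypt") == "true" else ["encrypt is not true"]
        if props.get("trustservercertificate") == "true":
            found.append("trustServerCertificate=true disables certificate validation")
        return found
    query = {k.lower(): v[-1].lower()
             for k, v in parse_qs(urlsplit(conn).query).items()}
    if scheme in ("postgresql", "postgres"):
        mode = query.get("sslmode", "prefer")  # libpq falls back to prefer when unset
        finding = PG_MODES.get(mode, "unrecognised value")
        return [f"sslmode={mode}: {finding}"] if finding else []
    if scheme in ("mongodb", "mongodb+srv"):
        tls = query.get("tls", query.get("ssl"))  # ssl is the deprecated alias
        if scheme == "mongodb+srv":  # TLS is on by default; only an opt-out is a finding
            return ["TLS explicitly disabled"] if tls == "false" else []
        return [] if tls == "true" else ["tls=true is missing"]
    if scheme in ("redis", "rediss"):
        return [] if scheme == "rediss" else ["redis:// is unencrypted; use rediss://"]
    return [f"scheme {scheme!r} is not covered by this check"]

# Constructed sample inputs, not taken from any real deployment.
SAMPLES = [
    "postgresql://user:pass@host:5432/db?sslmode=require",
    "mongodb://user:pass@host:27017/db",
    "redis://user:pass@host:6379/0",
    "sqlserver://user:pass@host:1433;database=db;encrypt=true;trustServerCertificate=true",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s.split("://", 1)[0], audit(s))  # scheme only: the strings hold credentials
```

An empty list means the string meets the strictest setting this page describes for that database; it does not prove the server's certificate is valid.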

Certificate Files

Many SSL configurations require specifying certificate files. Common parameters across databases include CA certificate, client certificate, and client key paths. Store these files securely and reference them via environment variables rather than hardcoding paths.

Use Case

Securing database connections in production environments, meeting compliance requirements (SOC 2, HIPAA, PCI-DSS), and connecting to cloud-hosted databases that mandate encrypted connections.
